What Is Virtual Extensible LAN in Networking?

Also known as: Virtual Extensible LAN, VXLAN, network virtualization, overlay network, Network+ exam

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

VXLAN is a way to make all your computers appear to be on the same local network even when they are physically in different buildings or data centers. It wraps network traffic in extra addressing so that it can travel across the internet or a large corporate network. This allows thousands of separate virtual networks to exist without interfering with each other.

Must Know for Exams

VXLAN appears prominently in the CompTIA Network+ (N10-008 and N10-009) exam objectives, specifically under domain 1.0 Networking Fundamentals and domain 2.0 Network Implementations. The exam expects candidates to understand the basic concept of network virtualization, the difference between traditional VLANs and VXLAN, and the use cases for VXLAN in modern networks. While Network+ does not require deep configuration knowledge, it does test the understanding that VXLAN is used to create overlay networks that span across Layer 3 boundaries.

In the CompTIA Cloud+ exam, VXLAN is discussed in the context of virtual networking for cloud environments. Candidates are expected to know how VXLAN enables multi-tenancy and virtual machine mobility. The exam may ask which technology allows a virtual network to exist across multiple physical hosts without requiring changes to the physical network.

The Cisco CCNA exam places more emphasis on VXLAN, especially in the newer exam versions that cover data center networking. CCNA candidates should understand VXLAN encapsulation, the role of VTEPs, and the difference between VXLAN and traditional VLANs. The exam may present scenario questions where a company needs to extend a Layer 2 network across a routed network, and the correct answer is VXLAN.

For cloud exams like AWS Certified Solutions Architect or Azure Administrator, VXLAN is indirectly relevant because it is the underlying technology for Virtual Private Clouds (VPCs) and virtual networks in these platforms. While exam questions may not mention VXLAN by name, understanding the concept helps candidates grasp how cloud providers achieve network isolation and scalability.

Simple Meaning

Think of VXLAN as a magical tunnel system for network traffic. Normally, a local area network (LAN) works well inside one building or campus, but it cannot stretch far because of physical and technical limits. VXLAN solves this by taking data from one part of a network and putting it inside a special envelope that can travel across the internet or a large corporate network. This envelope carries a label that tells the network where the data came from and where it should go once it reaches the other side.

Imagine you are sending a letter inside your office building. The internal mail system works great because the mailroom knows every desk and department. Now imagine you want to send that same letter to a colleague who moved to an office in another city. You cannot simply drop it in the internal office mail system. Instead, you put the letter inside a larger envelope that has the full address of the other office building. When that envelope arrives, someone opens it and delivers the original letter to the correct desk.

VXLAN does exactly this for network data. It takes the original data frame (the internal letter) and wraps it in a new packet that has the IP address of the destination server or switch (the outer envelope). This outer packet can travel across any IP network, including the internet. Once it reaches the destination, the wrapping is removed, and the original data is delivered to the correct virtual machine or server.

This technology is critical for cloud computing and data centers. When a company runs hundreds or thousands of virtual machines across many physical servers, VXLAN allows them to create as many isolated virtual networks as needed. Each virtual network can have its own settings, security rules, and even its own numbering system, without interfering with other networks. The key number to remember: a traditional LAN can support only about 4000 separate networks using a technology called VLAN (Virtual LAN). VXLAN supports over 16 million. That is why it is called "extensible".

Full Technical Definition

Virtual Extensible LAN is a network virtualization technology defined in RFC 7348. It addresses the limitations of traditional VLANs by using MAC-in-UDP encapsulation to create overlay networks on top of an existing Layer 3 infrastructure. The core idea is to take a standard Ethernet frame and encapsulate it inside a UDP (User Datagram Protocol) packet, which is then sent over an IP network.

The encapsulation format adds an 8-byte VXLAN header that contains a 24-bit segment identifier called the VXLAN Network Identifier or VNI. This identifier allows for up to 16 million unique virtual networks, in contrast to the 4094 limit imposed by the 12-bit VLAN ID in 802.1Q. The original Ethernet frame is placed after the VNI, and the entire structure is wrapped with a UDP header, an outer IP header, and an outer Ethernet header for transit across the physical network.

VXLAN typically relies on a process called flooding and learning for initial discovery of endpoints. When a switch or hypervisor receives a frame destined for a MAC address it does not know, it floods the frame to all VTEPs (VXLAN Tunnel Endpoints) in the same VNI. The destination host replies through its VTEP, and both VTEPs learn the mapping between the inner MAC addresses and the VTEP IP addresses. In modern deployments, this is often replaced or supplemented by a control plane protocol such as MP-BGP EVPN (Multiprotocol BGP Ethernet VPN), which distributes MAC and IP reachability information efficiently.

Implementation in real IT environments usually happens at the hypervisor level in virtualized data centers. Hypervisors like VMware ESXi, Microsoft Hyper-V, KVM, and XenServer include built-in VXLAN support. The VTEP is typically the hypervisor itself or a physical switch that acts as a gateway. Physical network switches can also support VXLAN, often called hardware VTEPs, which bridge the virtual overlay network with the physical underlay network.

VXLAN is commonly used in multi-tenant data centers, cloud provider environments, and large enterprise networks where users need to extend Layer 2 domains across multiple racks, rows, or even geographical sites. It works over any IP network, including the public internet, though performance and security considerations often require encrypted tunnels like IPsec or WireGuard when traversing untrusted networks.

Real-Life Example

Imagine a large hospital with multiple buildings spread across a city. Each building has its own internal phone system that connects rooms and departments within that building. This is like a traditional LAN. The problem is that a doctor in Building A needs to call an x-ray machine in Building B and have it ring exactly the same way as if it were in the same building. The hospital cannot simply connect all the buildings with a single phone cable because the distance is too far.

The solution is to use an external phone network. The hospital installs a special phone gateway in each building. When a doctor dials the x-ray machine in Building B, the gateway in Building A wraps that internal call into a standard phone call that goes over the external phone network. The external network routes the call to the gateway in Building B, which unwraps it and delivers it to the x-ray machine as if it were a local call. Each department gets its own extension number, and calls from different departments do not interfere because the gateways keep track of which call belongs to which department.

In this analogy, each building is a physical data center or network segment. The phone gateways are VTEPs. The wrapping of the internal call into an external call is the encapsulation process. The external phone network is the IP underlay network. The department extension numbers are VNIs, which separate traffic from different departments or tenants. A doctor can call any device in any building as long as both devices are part of the same department (same VNI), regardless of which building they are in. This is exactly how VXLAN allows virtual machines in different physical locations to communicate as if they were on the same local network.

Why This Term Matters

VXLAN matters because it directly solves two of the biggest problems in modern networking: scalability and mobility. Traditional VLANs, which use 802.1Q tagging, are limited to 4094 networks. In a large data center with thousands of tenants or applications, this limit is quickly reached. VXLAN expands this to over 16 million networks, making it possible to give each customer or application a completely isolated virtual network.

Mobility is the second critical factor. In virtualized environments, virtual machines need to move between physical servers for load balancing, maintenance, or disaster recovery. With traditional VLANs, moving a virtual machine to a different physical location often requires network reconfiguration, as the VLAN may not be available on the new switch. VXLAN allows the virtual machine to keep its IP address and MAC address regardless of where it physically moves, as long as the VNI is reachable. This enables seamless live migration of workloads across racks, rows, and even data centers.

Network security also benefits. Because VXLAN creates isolated virtual networks, traffic from one VNI cannot see or interact with traffic from another VNI unless explicitly routed through a gateway. This provides inherent tenant isolation, which is essential for multi-tenant cloud environments and for compliance requirements like PCI-DSS or HIPAA.

For system administrators and network engineers, VXLAN simplifies network design. Instead of planning complicated VLAN trunking and spanning tree configurations, engineers can rely on IP routing, which is more scalable and resilient. The underlay IP network can be a simple routed fabric, while the overlay VXLAN networks provide the Layer 2 connectivity that applications require. This separation of concerns is a foundational principle in modern data center design.

How It Appears in Exam Questions

Exam questions about VXLAN typically fall into several patterns. The most common is the scenario question. For example: A large organization wants to move a virtual machine from its main data center to a disaster recovery site located 50 miles away without changing the virtual machine's IP address or MAC address. Which technology makes this possible? The correct answer is VXLAN because it can extend the Layer 2 network over the Layer 3 connection between sites.

Another common pattern is comparison questions. These ask the candidate to compare VXLAN with traditional VLANs. A typical question might be: What is the primary limitation of 802.1Q VLANs that VXLAN addresses? The answer is the 4094 VLAN limit. Candidates are expected to know that VXLAN uses a 24-bit identifier, allowing over 16 million segments.

Configuration questions are less common in entry-level exams but appear in vendor-specific certifications. These questions might ask: Which component performs VXLAN encapsulation and decapsulation? The answer is the VTEP or VXLAN Tunnel Endpoint. Candidates should know that a VTEP can be a hypervisor, a physical switch, or a software router.

Troubleshooting questions often center on connectivity issues in overlay networks. For instance: Two virtual machines are on the same VNI but cannot communicate. What is a likely cause? Possible answers include a misconfigured VTEP, incorrect IP routing in the underlay network, or a firewall blocking UDP port 4789, which VXLAN uses. Understanding that VXLAN uses specific UDP ports is essential.

Architecture questions ask about where VXLAN fits in a network design. Example: In a spine-leaf network architecture, where is VXLAN typically implemented? The answer is at the leaf switches or hypervisors, acting as VTEPs. Candidates should understand that VXLAN is an overlay that runs on top of the physical spine-leaf fabric.

Example Scenario

GreenTree Enterprises runs a chain of retail stores and a centralized inventory system. The company uses a data center in Chicago to host all its servers. Recently, they acquired a smaller company with its own data center in Dallas. The IT manager wants to move several inventory management virtual machines from the Dallas data center to the Chicago data center to consolidate operations. These VMs need to keep their existing IP addresses because the inventory system is configured with those addresses in many store locations.

The network team initially tried to use a standard VPN connection between the two data centers. However, the inventory system required Layer 2 connectivity, meaning the VMs needed to see each other as if they were on the same physical switch. A standard VPN provides Layer 3 connectivity, which changes how the VMs communicate. The team then configured VXLAN between the two data centers. They set up a VTEP on a hypervisor in Dallas and another VTEP on a hypervisor in Chicago. They assigned the same VNI to both VTEPs. When the VMs in Dallas were moved to Chicago, the VXLAN tunnel allowed them to keep their original MAC addresses and IP addresses. The store systems continued to communicate with the inventory VMs without any changes. The transition was seamless, and the consolidation project succeeded without any downtime or reconfiguration of the stores.

Common Mistakes

Thinking VXLAN is a replacement for the physical network.

VXLAN is an overlay technology that runs on top of the existing physical IP network. It does not replace routers, switches, or cabling. The underlay network must still be properly designed and configured for VXLAN to work.

Think of VXLAN as a software layer that rides on your physical network. The physical network is still essential for moving packets between VTEPs.

Believing VXLAN works with any network protocol without configuration.

VXLAN specifically uses UDP encapsulation on port 4789. The underlying IP network must allow this traffic. Firewalls, ACLs, and routing policies must be adjusted to permit VXLAN packets.

Always verify that UDP port 4789 is open between all VTEPs. Check that IP routing exists between the source and destination VTEP IP addresses.

Confusing VXLAN with VPN.

While both use encapsulation, VXLAN is designed to create Layer 2 overlays for Ethernet frames, not to provide encryption or secure tunnels. VXLAN itself has no encryption. VPNs provide encrypted tunnels, but they are Layer 3 connections.

Understand that VXLAN is for network segmentation and extension, not security. If encryption is needed, VXLAN must be combined with IPsec or another encryption protocol.

Assuming that VXLAN eliminates the need for routing.

VXLAN creates Layer 2 overlays, but traffic that needs to leave the VXLAN segment (to the internet, for example) must still be routed. VXLAN does not replace routing; it uses routing in the underlay network to transport encapsulated packets.

Remember that VXLAN extends Layer 2 domains, but routing is still required for inter-VNI communication and for traffic destined outside the VXLAN domain.

Thinking that all VXLAN implementations work the same way.

VXLAN can be implemented in different modes: multicast-based flooding and learning, or using a control plane like MP-BGP EVPN. These modes have different requirements and advantages. Not knowing the difference can lead to incorrect configuration.

Learn the two main deployment models. Multicast-based VXLAN is simpler but less efficient. EVPN-VXLAN is more scalable and is the standard in modern data centers.

Exam Trap — Don't Get Fooled

A question states that VXLAN uses TCP as its transport protocol. Memorize that VXLAN specifically uses UDP as its transport protocol, and the destination port is 4789 by default. VXLAN does not use TCP because it does not require retransmission or flow control at the encapsulation layer. The original higher-layer protocols handle reliability.

Commonly Confused With

Virtual Extensible LAN vs VLAN (Virtual LAN)

VLAN uses 802.1Q tagging with a 12-bit identifier to create up to 4094 separate broadcast domains within a single physical switch or between switches. VXLAN uses a 24-bit VNI to create over 16 million networks and can span across Layer 3 boundaries, while VLANs are limited to a Layer 2 domain.

VLAN is like labeling envelopes with a colored sticker that only works inside one office building. VXLAN is like putting that envelope inside a larger envelope that can be mailed anywhere.

Virtual Extensible LAN vs MPLS (Multiprotocol Label Switching)

MPLS is a WAN technology that uses labels to forward packets quickly across a service provider network. VXLAN is a data center virtualization technology that creates overlay networks on existing IP infrastructure. MPLS typically operates at Layer 2.5, while VXLAN encapsulates Layer 2 frames inside Layer 4 UDP packets.

MPLS is like a priority lane on a highway system that uses short codes to route traffic faster. VXLAN is like building a new road on top of existing highways using tunnels.

Virtual Extensible LAN vs GRE (Generic Routing Encapsulation)

GRE is a simple tunneling protocol that can encapsulate a wide variety of network layer protocols. It does not have a built-in network identifier like VXLAN's VNI, so it cannot isolate multiple tenants. GRE tunnels are point-to-point, while VXLAN supports multipoint-to-multipoint communication.

GRE is like a single pipe connecting two buildings. You can send any type of water through it, but only one stream. VXLAN is like many labeled pipes inside one larger pipe, each carrying separate water streams.

Step-by-Step Breakdown

1. Frame Origination

A virtual machine or physical server sends a standard Ethernet frame destined for another device within the same VXLAN segment. This frame has a source MAC address and a destination MAC address, just like any normal Ethernet frame.

2. VTEP Encapsulation

The frame arrives at the VTEP (VXLAN Tunnel Endpoint). The VTEP, which may be the hypervisor running the VM or a physical switch, adds the VXLAN header. This header includes the 24-bit VNI that identifies which virtual network the frame belongs to. The original frame remains intact inside the encapsulation.

3. UDP Wrapping

The VTEP then wraps the VXLAN header and the original frame inside a UDP packet. The source UDP port is typically chosen dynamically from a hash of the inner frame's headers, so that the underlay can load-balance different flows across multiple paths. The destination UDP port is 4789. This UDP packet is then placed inside an IP packet with the destination IP address of the remote VTEP.

4. Outer Ethernet and Transmission

The encapsulated packet is given an outer Ethernet header. This header has the MAC address of the next-hop router or switch in the underlay network. The packet is then sent out onto the physical network, where standard IP routing will carry it to the destination VTEP.

5. Underlay Routing

The encapsulated packet travels across the IP network. Routers and switches in the underlay see only the outer IP header. They do not see the original inner frame or the VNI. Each hop forwards the packet based on the destination IP address of the remote VTEP until it arrives at the destination VTEP.

6. VTEP Decapsulation

The destination VTEP receives the packet. It checks the VNI in the VXLAN header to determine which virtual network this traffic belongs to. It then strips off the outer Ethernet, IP, and UDP headers along with the VXLAN header. The original Ethernet frame is extracted.

7. Frame Delivery

The VTEP delivers the original Ethernet frame to the destination virtual machine or server on the correct virtual network. The receiving device processes the frame as if it came from a directly connected local network. The entire encapsulation and decapsulation process is transparent to the endpoints.
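The seven steps above, and the encapsulation format described in the Full Technical Definition, as an added Python example that is not from the original page: it builds the 8-byte VXLAN header, wraps a constructed inner Ethernet frame in the outer UDP, IPv4 and Ethernet headers (the 50-byte overhead), and decapsulates it only after validating the outer headers and checking that the outer source address belongs to a known VTEP, since VXLAN itself carries no authentication. The MAC addresses, VTEP IPs 10.0.0.1 and 10.0.0.2, VNI 5001 and the payload are constructed sample values.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789             # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08               # "I" flag: the VNI field is valid (RFC 7348)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_OVERHEAD = 14 + 20 + 8 + 8  # outer Ethernet + IPv4 + UDP + VXLAN = 50

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)

def required_underlay_mtu(inner_mtu=1500):
    """Underlay MTU needed to carry inner frames without fragmentation."""
    return inner_mtu + VXLAN_OVERHEAD

def encapsulate(inner_frame, vni, src_mac, next_hop_mac, src_ip, dst_ip):
    """Steps 2-4: wrap an Ethernet frame in VXLAN, UDP, IPv4 and Ethernet."""
    # Source port from a hash of the inner Ethernet header so the underlay
    # can spread flows across ECMP paths (49152-65535, as RFC 7348 suggests).
    src_port = 49152 + zlib.crc32(inner_frame[:14]) % 16384
    payload = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                     0, 0x4000, 64, IPPROTO_UDP, 0,  # DF set, checksum 0
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = (mac_bytes(next_hop_mac) + mac_bytes(src_mac)
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + udp + payload

def decapsulate(packet, trusted_vteps):
    """Steps 5-6: validate the outer headers, return (vni, inner_frame)."""
    if len(packet) < VXLAN_OVERHEAD:
        raise ValueError("packet shorter than the 50-byte VXLAN overhead")
    if packet[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
        raise ValueError("outer frame is not IPv4")
    ip = packet[14:34]
    # Only a plain 20-byte IPv4/UDP header with a valid checksum is accepted.
    if ip[0] != 0x45 or ip[9] != IPPROTO_UDP or ipv4_checksum(ip) != 0:
        raise ValueError("outer header is not a valid IPv4/UDP header")
    src_ip = ".".join(str(b) for b in ip[12:16])
    # VXLAN carries no authentication; accept only known VTEPs as sources.
    if src_ip not in trusted_vteps:
        raise ValueError("outer source %s is not a known VTEP" % src_ip)
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[34:42])
    if dst_port != VXLAN_UDP_PORT or udp_len != len(packet) - 34:
        raise ValueError("UDP port is not 4789 or UDP length mismatch")
    flags, vni_field = struct.unpack("!B3xI", packet[42:50])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    return vni_field >> 8, packet[50:]

def constructed_inner_frame():
    """Constructed sample frame from VM A to VM B, not captured data."""
    return (mac_bytes("02:00:00:00:00:0b") + mac_bytes("02:00:00:00:00:0a")
            + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed IPv4 payload")

def demo():
    """Round-trip the sample frame through VNI 5001 between two VTEPs."""
    inner = constructed_inner_frame()
    pkt = encapsulate(inner, 5001, "02:00:00:00:00:01", "02:00:00:00:00:ff",
                      "10.0.0.1", "10.0.0.2")
    vni, recovered = decapsulate(pkt, trusted_vteps={"10.0.0.1"})
    return vni, recovered == inner, len(pkt) - len(inner)  # (5001, True, 50)
```

Running demo() shows the recovered VNI, that the inner frame survived intact, and the 50-byte overhead that motivates the MTU adjustment discussed later in the Practical Mini-Lesson.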

Practical Mini-Lesson

To understand VXLAN in practice, start by recognizing that it is an overlay technology. This means you have two networks to think about: the underlay and the overlay. The underlay is your physical network of routers, switches, and cables. The overlay is the logical VXLAN network that your virtual machines and applications use. The key skill is learning how these two layers interact.

When you configure VXLAN, you first ensure the underlay network provides IP connectivity between all VTEPs. This usually means setting up OSPF, EIGRP, or static routes so that every VTEP can reach every other VTEP. You also need to allow UDP port 4789 through any firewalls or ACLs. If you plan to use multicast for flooding and learning, you must configure multicast routing and assign a multicast group to each VNI.

In a hypervisor environment, configuration is often done through the virtualization management platform. For example, in VMware vSphere, you can create a VXLAN network using the NSX overlay. You define a transport zone, specify the VTEP IP addresses, and assign VNIs to logical switches. The hypervisor automatically handles encapsulation and decapsulation for all virtual machines attached to that logical switch.

One common issue that professionals face is MTU (Maximum Transmission Unit) mismatch. Because VXLAN adds 50 bytes of overhead (8 bytes for VXLAN, 8 bytes for UDP, 20 bytes for IP, 14 bytes for outer Ethernet), the underlying physical network must support jumbo frames or the application must reduce its MTU. If not, packets will be fragmented or dropped, causing connectivity problems. The standard fix is to set the MTU on all underlay interfaces to at least 1550 bytes, though 9000 bytes is recommended for data centers.

Another practical consideration is learning and forwarding. In traditional VXLAN without a control plane, the first packet to an unknown destination triggers a flood to all VTEPs in the same VNI. This flood can consume significant bandwidth in large networks. Modern implementations use EVPN as a control plane, where each VTEP advertises the MAC and IP addresses of attached devices to all other VTEPs. This eliminates flooding and provides faster convergence when VMs move.

For troubleshooting, start by checking VTEP reachability. Can the source VTEP ping the destination VTEP? If no, fix the underlay routing. Next, verify that UDP port 4789 is not blocked. Use packet captures to confirm that encapsulated packets are being sent and received. Finally, check the VNI mapping. If a VM is in VNI 100 on one side and VNI 200 on the other, they will not be able to communicate even if the tunnel is up. VNI consistency is critical.

VXLAN connects to broader IT concepts like software-defined networking (SDN), network virtualization, and cloud computing. It is a foundational technology for network function virtualization (NFV) and is used by major cloud providers internally. Understanding VXLAN gives you insight into how modern data centers achieve flexibility at scale, moving from rigid hardware-defined networks to flexible software-defined networks.

Memory Tip

Remember VXLAN by the number 16 million: VXLAN uses a 24-bit identifier which gives over 16 million possible networks, replacing the old limit of 4094 from VLANs. Also recall UDP 4789 - the port VXLAN uses for encapsulation.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008, N10-009 (current version)

Frequently Asked Questions

What does VXLAN stand for?

VXLAN stands for Virtual Extensible LAN. The Extensible part refers to its ability to create many more virtual networks than traditional VLANs.

Is VXLAN the same as a VPN?

No. VXLAN is for creating overlay Layer 2 networks across a Layer 3 infrastructure. VPNs provide encrypted tunnels for secure connectivity. VXLAN does not encrypt traffic by default.

Do I need special hardware for VXLAN?

No, many hypervisors support VXLAN in software. However, for high performance, hardware VTEPs in physical switches or smart network cards can offload encapsulation.

Can VXLAN work over the internet?

Yes, as long as the underlay IP network provides connectivity and UDP port 4789 is allowed. For security, VXLAN should be combined with IPsec or another encryption method over the internet.

What is a VTEP?

A VTEP is a VXLAN Tunnel Endpoint. It is the device or software that performs the encapsulation and decapsulation of VXLAN traffic. It can be a hypervisor, a switch, or a router.

Does VXLAN replace routing?

No. VXLAN extends Layer 2 domains, but routing is still needed for traffic that leaves those domains. The underlay network uses IP routing to move encapsulated packets between VTEPs.

What port does VXLAN use?

VXLAN uses UDP destination port 4789 by default. Some implementations may use other ports, but 4789 is the standardized port.

Summary

Virtual Extensible LAN is a powerful network virtualization technology that solves critical scalability and mobility problems in modern data centers. By encapsulating Ethernet frames inside UDP packets with a 24-bit VNI, it allows over 16 million isolated virtual networks to exist on top of any IP infrastructure. This technology is essential for cloud computing, multi-tenant environments, and virtual machine live migration.

For certification exams, focus on the differences between VLANs and VXLAN, the role of VTEPs, the use of UDP port 4789, and the fact that VXLAN is an overlay technology that relies on an underlay IP network. Understanding VXLAN positions you to grasp modern software-defined networking and prepares you for exams like Network+, Cloud+, and CCNA. Remember that VXLAN is not a replacement for security or routing, but a tool for creating flexible, scalable network segments that adapt to the needs of virtualized infrastructure.